Abstract: Although good encryption functions are probabilistic, most symbolic models do not capture this
aspect explicitly. A typical solution, recently used to prove the soundness of such models with respect to 
computational ones, is to explicitly represent the dependency of ciphertexts on random coins as labels. 

In order to make these label-based models useful, it seems natural to try to extend the underlying decision 
procedures and the implementation of existing tools. In this paper we put forth a more practical alternative 
based on the following soundness theorem. We prove that for a large class of security properties (that includes 
rather standard formulations for secrecy and authenticity properties) , security of protocols in the simpler model 
implies security in the label-based model. Combined with the soundness result of (?) our theorem enables the 
translation of security results in unlabeled symbolic models to computational security. 
Modelling probabilistic encryption does not require an explicit representation of randomness

Abstract (French version): Although many cryptographic functions are probabilistic, most symbolic models do not explicitly take this aspect into account. To prove the soundness of these models with respect to computational models, it is nevertheless often necessary to represent explicitly the randomness used in encryption, for example by means of labels.

It then seems necessary to extend the underlying decision procedures and the implementation of existing tools to label-based models. In this paper we propose a more practical alternative, based on the following soundness theorem. We prove that, for a large class of security properties (such as the standard secrecy and authentication properties), the security of protocols in a model without labels implies security in the models with labels. Combined with the soundness result of (?), our theorem allows security results in unlabeled symbolic models to be transferred to computational security.

Keywords: probabilistic encryption, security models, protocol verification, secrecy, authentication
1 INTRODUCTION

Designers of mathematical models for computational systems need to find appropriate trade-offs between two 
seemingly contradictory requirements. Automatic verification (and thus usability) typically requires a high 
level of abstraction whereas prediction accuracy requires a high level of details. From this perspective, the
use of symbolic models for security analysis is particularly delicate since it seems that the inherent high level of 
abstraction at which such models operate is not able to capture all aspects that are relevant to security. This 
paper is concerned with one particular such aspect, namely the use of randomization in the construction of 
cryptosystems [Goldwasser and Micali, 1984]. 

A central feature of the computational, complexity-based models is the ability to capture and reason explicitly 
about the use of randomness. Moreover, randomness is essential to achieve any meaningful notion of security 
for encryption. In contrast, symbolic models rarely represent randomness directly. For example, a typical
representation for the encryption of message $m$ under the public key of entity $B$ is the term $\{m\}_{ek(B)}$. Notice that
the symbolic representation does not capture the dependency on the randomness used to generate this ciphertext.
While this abstraction may be sufficiently accurate in certain settings [Micciancio and Warinschi, 2004], in some 
other settings it is not sufficient. 

Consider the following flow in some toy protocol:

$$A \rightarrow B : \{m\}_{ek(B)},\ \{\{m\}_{ek(B)}\}_{ek(B)}$$

To implement this flow, each occurrence of $\{m\}_{ek(B)}$ is mapped to a ciphertext. Notice however that the
pictorial description does not specify whether the two occurrences of $\{m\}_{ek(B)}$ are equal (created with identical coins)
or different (created with different coins). In rich enough protocol specification languages, constructs as above
can easily be disambiguated. For instance, in a language that has explicit assignments, the two
different interpretations of the first message of the protocol can be obtained as

$$x := \{m\}_{ek(B)};\ \mathsf{send}(x, \{x\}_{ek(B)}) \qquad \text{and} \qquad \mathsf{send}(\{m\}_{ek(B)}, \{\{m\}_{ek(B)}\}_{ek(B)})$$

Here, each distinct occurrence of $\{m\}_{ek(B)}$ is interpreted with different randomness. Other approaches adopt a
more direct solution and represent the randomness used for encryption
explicitly [Herzog, 2004, Abadi and Jürjens, 2001, Lowe, 2004, Cortier and Warinschi, 2005]. If we write $\{m\}^l_{ek(B)}$
for the encryption of $m$ under the public key of $B$ with random coins $l$, the two different interpretations of the
flow are:

$$\mathsf{send}(\{m\}^{l_1}_{ek(B)}, \{\{m\}^{l_1}_{ek(B)}\}^{l_2}_{ek(B)}) \qquad \text{and} \qquad \mathsf{send}(\{m\}^{l_1}_{ek(B)}, \{\{m\}^{l_2}_{ek(B)}\}^{l_3}_{ek(B)})$$

A model that employs labels to capture the randomness used in ciphertexts (and signatures) has recently been 
used to establish soundness of symbolic analysis with respect to computational 
models [Cortier and Warinschi, 2005]. Their results are based on an emulation lemma: for protocol executions, 
every computational trace can be mapped to a valid symbolic trace. The mapping is then used to translate 
security properties that hold in the symbolic model to computational analogues. The next step towards making 
the soundness result relevant to practice is to carry out the security proofs using some (semi-) automated tools 
for the symbolic model. 

However, to the best of our knowledge, none of the popular tools (ProVerif [Blanchet, 2001],
CASPER [Lowe, 1997a], Athena [Song, 1999], AVISPA [Armando et al., 2005]) offers capabilities for automatically
reasoning in models that use labels. There are at least two solutions to this problem. One possibility
is to enhance the symbolic models that underlie existing tools. Unfortunately such a modification would probably
require significant effort that involves adapting existing decision procedures, proving their correctness, and
verifying and modifying thousands of lines of code.

In this paper we put forth and clarify an alternative solution, used implicitly in [Cortier and Warinschi, 2005]. 
The idea is to keep existing tools unchanged, use their underlying (unlabeled) model to prove security properties, 
and then show that the results are in fact meaningful for the model with labels. The main result of this paper 
is to prove that for a large class of security properties the approach that we propose is indeed feasible. 

We are currently implementing an AVISPA module for computationally sound automatic proofs based on 
the results of this paper. 

Results. We consider the protocol specification language and the execution model developed
in [Cortier and Warinschi, 2005]. The language is for protocols that use random nonces, public key encryption
and digital signatures, and uses labels to model the randomness used by these primitives. To each protocol
$\Pi$ with labels, we naturally associate a protocol $\overline{\Pi}$ obtained by erasing all labels, and extend the transformation
to execution traces. To each trace $tr$ of $\Pi$ we associate a trace $\overline{tr}$ obtained by erasing labels and we extend this
mapping to sets of traces. The first contribution of this paper is a proof that the transformation is sound. More
precisely we prove that if $tr$ is a valid trace of $\Pi$ (obtained by Dolev-Yao operations) then $\overline{tr}$ is a valid trace
of $\overline{\Pi}$. Importantly, this result relies on the fact that the specification language that we consider does not allow
equality tests between ciphertexts. We believe that a similar result holds for most (if not all) protocol specification
languages that satisfy the above condition. The language for specifying protocols (with and without
labels) as well as the relation between their associated execution models are in Section 2.

In Section 3 we give two logics, $\mathcal{L}^l_1$ and $\mathcal{L}_1$, that we use to express security properties for protocols with and
without labels, respectively. Informally, the formulas of $\mathcal{L}_1$ are obtained by removing the labels from formulas
of $\mathcal{L}^l_1$. Both logics are quite expressive. For example, they can be used to express standard formulations for secrecy
and authenticity properties.

Next we focus our attention on translating security properties between the two models. First, notice that
the mapping between the model with and that without labels is not faithful since it loses information regarding
inequality of ciphertexts. To formalize this intuition we give a protocol $\Pi$ and a formula $\phi$ such that $\overline{\Pi}$ satisfies $\overline{\phi}$
(the formula that corresponds to $\phi$ in the model without labels), but for which $\Pi$ does not satisfy $\phi$. Anticipating,
our example indicates that the source of problems is that $\phi$ may contain equality tests between ciphertexts, and
such tests may not be translated faithfully. The counterexample is in Section 4.

The main result of the paper is a soundness theorem. We show that for a large class of security properties
it is possible to carry out the proof in the model without labels and infer security properties in the model with
labels. More precisely, we identify $\mathcal{L}^l_2$ and $\mathcal{L}_2$, fragments of $\mathcal{L}^l_1$ and $\mathcal{L}_1$ respectively, such that the following
theorem holds.

Consider an arbitrary protocol $\Pi$ and formula $\phi$ in $\mathcal{L}^l_2$. Let $\overline{\phi}$ be a formula in $\mathcal{L}_2$ obtained by erasing the
labels that occur in $\phi$. Then, it holds that:

$$\overline{\Pi} \models \overline{\phi} \;\Rightarrow\; \Pi \models \phi$$

The logics $\mathcal{L}^l_2$ and $\mathcal{L}_2$ are still expressive enough to contain the secrecy and authentication formulas. The
theorem and its proof are in Section 4.

2 PROTOCOL 

In this section we provide the syntax of protocols with labels. The presentation is adapted
from [Cortier and Warinschi, 2005]. The specification language is similar to the one of
Casrul [Rusinowitch and Turuani, 2001]; it allows parties to exchange messages built from identities and randomly
generated nonces using public key encryption and digital signatures. Protocols that do not use labels
are obtained straightforwardly.

2.1 Syntax 

Consider an algebraic signature $\Sigma$ with the following sorts. A sort $ID$ for agent identities, sorts $SKey$, $VKey$,
$EKey$, $DKey$ containing keys for signing, verifying, encryption, and decryption respectively. The algebraic signature
also contains sorts $Nonce$, $Label$, $Ciphertext$, $Signature$ and $Pair$ for nonces, labels, ciphertexts, signatures
and pairs, respectively. The sort $Label$ is used in encryption and signatures to distinguish between different
encryptions/signatures of the same plaintext. The sort $Term$ is a supersort containing all other sorts, except $SKey$
and $DKey$. There are nine operations: the four operations $ek$, $dk$, $sk$, $vk$ are defined on the sort $ID$ and return
the encryption key, decryption key, signing key, and verification key associated with the input identity. The two
operations $ag$ and $adv$ are defined on natural numbers and return labels. As explained in the introduction, the
labels are used to differentiate between different encryptions (and signatures) of the same plaintext, created by
the honest agents or the adversary. We distinguish between labels for agents and for the adversary since they
do not use the same randomness. The other operations that we consider are pairing, public key encryption, and
signing.

We also consider sets of sorted variables $X = X.n \cup X.a \cup X.c \cup X.s$ and $X^l = X \cup X.l$. Here, $X.n$, $X.a$, $X.c$, $X.s$, $X.l$
are sets of variables of sort nonce, agent, ciphertext, signature and label, respectively. The sets of variables
$X.a$ and $X.n$ are as follows. If $k \in \mathbb{N}$ is some fixed constant representing the number of protocol participants,
w.l.o.g. we fix the set of agent variables to be $X.a = \{A_1, A_2, \ldots, A_k\}$, and partition the set of nonce variables
by the party that generates them. Formally: $X.n = \bigcup_{A \in X.a} X_n(A)$ and $X_n(A) = \{X^j_A \mid j \in \mathbb{N}\}$. This partition
avoids having to specify later, for each role, which variables stand for generated nonces and which variables stand for
expected nonces.

Labeled messages that are sent by participants are specified using terms in $T^l$:

$$L ::= X.l \mid ag(i) \mid adv(j)$$

$$T^l ::= X \mid a \mid ek(a) \mid dk(a) \mid sk(a) \mid vk(a) \mid n(a,j,s) \mid (T^l, T^l) \mid \{T^l\}^L_{ek(a)} \mid [T^l]^L_{sk(a)}$$

where $i, j, s \in \mathbb{N}$ and $a \in ID$.

Unlabeled messages are specified similarly as terms in the algebra $T$ defined by

$$T ::= X \mid a \mid ek(a) \mid dk(a) \mid sk(a) \mid vk(a) \mid n(a,j,s) \mid (T, T) \mid \{T\}_{ek(a)} \mid [T]_{sk(a)}$$

where $a \in ID$ and $j, s \in \mathbb{N}$.

A mapping $\overline{\cdot} : T^l \rightarrow T$ from labeled to unlabeled terms is defined by removing the labels: $\overline{\{k\}^l_m} = \{\overline{k}\}_{\overline{m}}$,
$\overline{[k]^l_m} = [\overline{k}]_{\overline{m}}$, and $\overline{f(t_1, \ldots, t_n)} = f(\overline{t_1}, \ldots, \overline{t_n})$ otherwise. The mapping function is extended to sets of terms as
expected.

The individual behavior of each protocol participant is defined by a role that describes a sequence of message
receptions/transmissions. A $k$-party protocol is given by $k$ such roles.

Definition 1 (Labeled roles and protocols) The set $Roles^l$ of roles for labeled protocol participants is defined
by $Roles^l = ((\{\mathsf{init}\} \cup T^l) \times (T^l \cup \{\mathsf{stop}\}))^*$. A $k$-party labeled protocol is a mapping $\Pi : [k] \rightarrow Roles^l$, where
$[k]$ denotes the set $\{1, 2, \ldots, k\}$.

Unlabeled roles and protocols are defined very similarly. The mapping function is extended from labeled 
protocols to unlabeled protocols as expected. 

We assume that a protocol specification is such that $\Pi(j) = ((l^j_1, r^j_1), (l^j_2, r^j_2), \ldots)$, the $j$-th role in the definition
of the protocol being executed by player $A_j$. Each sequence $((l_1, r_1), (l_2, r_2), \ldots) \in Roles^l$ specifies the messages
to be sent/received by the party executing the role: at step $i$, the party expects to receive a message conforming
to $l_i$ and returns message $r_i$. We wish to emphasize that terms $l_i, r_i$ are not actual messages, but specify how
the message that is received and the message that is output should look like.

Example 1 The Needham-Schroeder-Lowe protocol [Lowe, 1996] is specified as follows: there are two roles
$\Pi(1)$ and $\Pi(2)$ corresponding to the sender's and receiver's role.

$$A \rightarrow B : \{N_a, A\}_{ek(B)}$$
$$B \rightarrow A : \{N_a, N_b, B\}_{ek(A)}$$
$$A \rightarrow B : \{N_b\}_{ek(B)}$$

$$\Pi(1) = \big((\mathsf{init}, \{X^1_{A_1}, A_1\}^{L_1}_{ek(A_2)}),\ (\{X^1_{A_1}, X^1_{A_2}, A_2\}^{L_2}_{ek(A_1)}, \{X^1_{A_2}\}^{L_3}_{ek(A_2)})\big)$$

$$\Pi(2) = \big((\{X^1_{A_1}, A_1\}^{L_1}_{ek(A_2)}, \{X^1_{A_1}, X^1_{A_2}, A_2\}^{L_2}_{ek(A_1)}),\ (\{X^1_{A_2}\}^{L_3}_{ek(A_2)}, \mathsf{stop})\big)$$

Clearly, not all protocols written using the syntax above are meaningful. In particular, some protocols 
might be not executable. This is actually not relevant for our result (our theorem also holds for non executable 
protocols). 

2.2 Execution Model 

We define the execution model only for labeled protocols. The definition of the execution model for unlabeled 
protocols is then straightforward. 

If $A$ is a variable or constant of sort agent, we define its knowledge by $kn(A) = \{dk(A), sk(A)\} \cup X_n(A)$, i.e.
an agent knows its secret decryption and signing key as well as the nonces it generates during the execution. The
formal execution model is a state transition system. A global state of the system is given by $(SId, f, H)$ where
$H$ is a set of terms of $T^l$ representing the messages sent on the network and $f$ maintains the local states of all
session ids $SId$. We represent session ids as tuples of the form $(n, j, (a_1, a_2, \ldots, a_k)) \in (\mathbb{N} \times \mathbb{N} \times ID^*)$, where $n \in \mathbb{N}$
identifies the session, $a_1, a_2, \ldots, a_k$ are the identities of the parties that are involved in the session and $j$ is the
index of the role that is executed in this session. Mathematically, $f$ is a function $f : SId \rightarrow ([X \rightarrow T^l] \times \mathbb{N} \times \mathbb{N})$,
where $f(sid) = (\sigma, i, p)$ is the local state of session $sid$. The function $\sigma$ is a partial instantiation of the variables
occurring in role $\Pi(i)$ and $p \in \mathbb{N}$ is the control point of the program. Three transitions are allowed.
Initial knowledge: $S \vdash^l b$, $S \vdash^l ek(b)$, $S \vdash^l vk(b)$ for every $b \in ID$.

Pairing and unpairing:

$$\frac{S \vdash^l m_1 \quad S \vdash^l m_2}{S \vdash^l (m_1, m_2)} \qquad \frac{S \vdash^l (m_1, m_2)}{S \vdash^l m_i}\ \ i \in \{1, 2\}$$

Encryption and decryption:

$$\frac{S \vdash^l ek(b) \quad S \vdash^l m}{S \vdash^l \{m\}^{adv(i)}_{ek(b)}}\ \ i \in \mathbb{N} \qquad \frac{S \vdash^l \{m\}^{l}_{ek(b)} \quad S \vdash^l dk(b)}{S \vdash^l m}$$

Signature:

$$\frac{S \vdash^l sk(b) \quad S \vdash^l m}{S \vdash^l [m]^{adv(i)}_{sk(b)}}\ \ i \in \mathbb{N} \qquad \frac{S \vdash^l [m]^{l}_{sk(b)}}{S \vdash^l m}$$

Figure 1: Deduction rules.



$(SId, f, H) \xrightarrow{\mathsf{corrupt}(a_1, \ldots, a_k)} (SId, f, \bigcup_{1 \le j \le k} kn(a_j) \cup H)$. The adversary corrupts parties by outputting a
set of identities. He receives in return the secret keys corresponding to the identities. It happens only
once at the beginning of the execution.

The adversary can initiate new sessions: $(SId, f, H) \xrightarrow{\mathsf{new}(i, a_1, \ldots, a_k)} (SId', f', H')$ where $H'$, $f'$ and $SId'$ are
defined as follows. Let $s = |SId| + 1$ be the session identifier of the new session, where $|SId|$ denotes the
cardinality of $SId$. $H'$ is defined by $H' = H$ and $SId' = SId \cup \{(s, i, (a_1, \ldots, a_k))\}$. The function $f'$ is
defined as follows.

- $f'(sid) = f(sid)$ for every $sid \in SId$.

- $f'(s, i, (a_1, \ldots, a_k)) = (\sigma, i, 1)$ where $\sigma$ is a partial function $\sigma : X \rightarrow T^l$ and:

$$\sigma(A_j) = a_j \quad 1 \le j \le k$$

$$\sigma(X^j_{A_i}) = n(a_i, j, s) \quad j \in \mathbb{N}$$

We recall that the principal executing the role $\Pi(i)$ is represented by $A_i$; thus, in that role, every variable
of the form $X^j_{A_i}$ represents a nonce generated by $A_i$.

The adversary can send messages: $(SId, f, H) \xrightarrow{\mathsf{send}(sid, m)} (SId, f', H')$ where $sid \in SId$, $m \in T^l$, and $H'$
and $f'$ are defined as follows. We define $f'(sid') = f(sid')$ for every $sid' \neq sid$. We denote $\Pi(j) =
((l^j_1, r^j_1), \ldots, (l^j_{k_j}, r^j_{k_j}))$ and $f(sid) = (\sigma, j, p)$ for some $\sigma, j, p$. There are two cases.

- Either there exists a least general unifier $\theta$ of $m$ and $l^j_p\sigma$. Then $f'(sid) = (\sigma \cup \theta, j, p + 1)$ and
$H' = H \cup \{r^j_p\sigma\theta\}$.

- Or we define $f'(sid) = f(sid)$ and $H' = H$ (the state remains unchanged).

If we denote by $SID = \mathbb{N} \times \mathbb{N} \times ID^k$ the set of all session ids, the set of symbolic execution traces is $SymbTr^l =
(SID \times (SID \rightarrow ([X \rightarrow T^l] \times \mathbb{N} \times \mathbb{N})) \times 2^{T^l})^*$. The set of corresponding unlabeled symbolic execution traces is denoted
by $SymbTr$. The mapping function $\overline{\cdot}$ is extended as follows: if $tr = (SId_0, f_0, H_0), \ldots, (SId_n, f_n, H_n)$ is a trace
of $SymbTr^l$, then $\overline{tr} = (SId_0, \overline{f_0}, \overline{H_0}), \ldots, (SId_n, \overline{f_n}, \overline{H_n}) \in SymbTr$, where $\overline{SId_i}$ simply equals $SId_i$ and $\overline{f_i} : SID \rightarrow ([X \rightarrow
T] \times \mathbb{N} \times \mathbb{N})$ with $\overline{f_i}(sid) = (\overline{\sigma}, i, p)$ if $f_i(sid) = (\sigma, i, p)$ and $\overline{\sigma}(X) = \overline{\sigma(X)}$.
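As an added illustration (this is example code, not code from the paper), the following Python encodes the term algebra $T^l$, the label-erasing mapping $\overline{\cdot}$ of Section 2.1, and the pattern matching performed by the send transition above, then replays the first step of role $\Pi(2)$ of Example 1 on the adversary's message used in Example 2. The tuple encoding of terms, the variable names and the decision to give label variables of $r_p$ that are still free a fresh $ag(\cdot)$ label are assumptions of this example; the page does not fix how honest labels are instantiated, and only the nonce $X^1_{A_2}$ is pre-bound by the new transition here.

```python
import itertools

# Terms are nested tuples. An encryption carries a label: ('ag', i) or ('adv', i)
# for honest/adversarial coins, a label variable, or None in the unlabelled algebra T.
def ident(a):                return ('id', a)
def var(name, sort):         return ('var', name, sort)
def nonce(a, j, s):          return ('n', a, j, s)
def ek(a):                   return ('ek', a)
def pair(t1, t2):            return ('pair', t1, t2)
def enc(m, key, label=None): return ('enc', label, key, m)

SORT = {'id': 'agent', 'n': 'nonce', 'enc': 'ciphertext', 'sig': 'signature',
        'pair': 'pair', 'ag': 'label', 'adv': 'label', 'ek': 'ekey'}

def sort_of(t):
    return t[2] if t[0] == 'var' else SORT[t[0]]

def erase(t):
    """The mapping of Section 2.1: drop every label, recurse otherwise."""
    if t[0] in ('enc', 'sig'):
        return (t[0], None, erase(t[2]), erase(t[3]))
    if t[0] == 'pair':
        return ('pair', erase(t[1]), erase(t[2]))
    return t

def apply(subst, t):
    """Apply a substitution (dict: variable name -> term) to a term."""
    if t[0] == 'var':
        return subst.get(t[1], t)
    return tuple(apply(subst, x) if isinstance(x, tuple) else x for x in t)

def match(pattern, term, subst=None):
    """Return theta with pattern.theta == term (respecting sorts), or None."""
    subst = dict(subst or {})
    if pattern[0] == 'var':
        _, name, sort = pattern
        if name in subst:
            return subst if subst[name] == term else None
        if sort_of(term) != sort:
            return None
        subst[name] = term
        return subst
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if isinstance(p, tuple) and isinstance(t, tuple):
            subst = match(p, t, subst)
            if subst is None:
                return None
        elif p != t:                   # atoms (names, counters, None labels) must coincide
            return None
    return subst

def free_label_vars(t, subst):
    if t[0] == 'var':
        return {t[1]} if t[2] == 'label' and t[1] not in subst else set()
    return set().union(*(free_label_vars(x, subst) for x in t if isinstance(x, tuple)))

FRESH = itertools.count(1)

def send_step(role, state, message):
    """The send(sid, m) transition of Section 2.2 on one local state (sigma, i, p):
    returns the new local state and the emitted term r_p.sigma.theta, or None."""
    sigma, i, p = state
    if p > len(role):
        return state, None
    l_p, r_p = role[p - 1]
    theta = match(apply(sigma, l_p), message)
    if theta is None:                   # second case: the state is unchanged
        return state, None
    sigma2 = {**sigma, **theta}
    if r_p == 'stop':
        return (sigma2, i, p + 1), None
    # Assumption (not fixed by the page): label variables of r_p that are still free
    # stand for the honest party's own coins, so they receive fresh ag(.) labels.
    for v in free_label_vars(r_p, sigma2):
        sigma2[v] = ('ag', next(FRESH))
    return (sigma2, i, p + 1), apply(sigma2, r_p)

# Constructed data: identities and the first step of role Pi(2) of Example 1.
a1, a2, a3 = ident('a1'), ident('a2'), ident('a3')
A1, A2 = var('A1', 'agent'), var('A2', 'agent')
X1_A1, X1_A2 = var('X1_A1', 'nonce'), var('X1_A2', 'nonce')
L1, L2 = var('L1', 'label'), var('L2', 'label')
ROLE2 = [(enc(pair(X1_A1, A1), ek(A2), L1),
          enc(pair(X1_A1, pair(X1_A2, A2)), ek(A1), L2))]

def run_example2():
    """Replay the send of Example 2 and compare labelled and erased matching."""
    sigma1 = {'A1': a1, 'A2': a2, 'X1_A2': nonce(a2, 1, 1)}   # state after new(2, a1, a2)
    n3 = nonce(a3, 1, 1)
    m = enc(pair(n3, a1), ek(a2), ('adv', 1))                # the adversary's message
    (sigma2, _, p), out = send_step(ROLE2, (sigma1, 2, 1), m)
    labelled_ok = p == 2 and sigma2['X1_A1'] == n3 and sigma2['L1'] == ('adv', 1)
    # Key step of Lemma 2: the erased message matches the erased pattern.
    erased_ok = match(erase(apply(sigma1, ROLE2[0][0])), erase(m)) is not None
    # The converse fails: once L1 is bound to adv(1), a message carrying adv(2) is
    # rejected in T^l but its erasure still matches the erased pattern.
    sigma_fixed = {**sigma1, 'L1': ('adv', 1)}
    m2 = enc(pair(n3, a1), ek(a2), ('adv', 2))
    rejected = send_step(ROLE2, (sigma_fixed, 2, 1), m2)[1] is None
    accepted_erased = match(erase(apply(sigma_fixed, ROLE2[0][0])), erase(m2)) is not None
    return labelled_ok, erased_ok, rejected, accepted_erased, erase(out)

if __name__ == '__main__':
    print(run_example2())
```

`run_example2` returns four booleans that are all true: the labelled match succeeds and binds $X^1_{A_1}$ and $L_1$, the erased match succeeds as well (the direction used in the proof of Lemma 2), and a second message carrying a different adversarial label is rejected with labels yet accepted after erasure, which is exactly the information lost by the mapping that Section 4 exploits. The fifth component is the erased reply $\overline{r_1\sigma\theta}$.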

The adversary intercepts messages between honest participants and computes new messages using the deduction
relation $\vdash^l$ defined in Figure 1. Intuitively, $S \vdash^l m$ means that the adversary is able to compute the
message $m$ from the set of messages $S$. All deduction rules are rather standard with the exception of the last
one: the last rule states that the adversary can recover the corresponding message out of a given signature.
This rule reflects capabilities that do not contradict the standard computational security definition of digital
signatures, may potentially be available to computational adversaries and are important for the soundness result
of [Cortier and Warinschi, 2005].

Next, we sketch the execution model for unlabeled protocols. As above, the execution is based on a deduction
relation $\vdash$ that captures adversarial capabilities. The deduction rules that define $\vdash$ are obtained from those of
$\vdash^l$ (Figure 1) as follows. The sets of rules Initial knowledge and Pairing and unpairing are kept unchanged
(replacing $\vdash^l$ by $\vdash$, of course). For encryption and signatures we suppress the labels $adv(i)$ and $l$ in the encryption
function $\{\_\}^{\_}_{\_}$ and the signature function $[\_]^{\_}_{\_}$ for the rules Encryption and decryption and the rules Signature. That
is, the rules for encryption are:

$$\frac{S \vdash ek(b) \quad S \vdash m}{S \vdash \{m\}_{ek(b)}} \qquad \frac{S \vdash \{m\}_{ek(b)} \quad S \vdash dk(b)}{S \vdash m}$$

and those for signatures are:

$$\frac{S \vdash sk(b) \quad S \vdash m}{S \vdash [m]_{sk(b)}} \qquad \frac{S \vdash [m]_{sk(b)}}{S \vdash m}$$

We use the deduction relations to characterize the set of valid execution traces. We say that the trace
$(SId_1, f_1, H_1), \ldots, (SId_n, f_n, H_n)$ is valid if the messages sent by the adversary can be computed by Dolev-Yao
operations. More precisely, we require that in a valid trace, whenever $(SId_i, f_i, H_i) \xrightarrow{\mathsf{send}(s, m)} (SId_{i+1}, f_{i+1}, H_{i+1})$,
we have $H_i \vdash^l m$. Given a protocol $\Pi$, the set of valid symbolic execution traces is denoted by $Exec(\Pi)$. The
set $Exec(\overline{\Pi})$ of execution traces in the model without labels is defined similarly: we require that every sent
message $m'$ satisfies $H_i \vdash m'$.



Example 2 Playing with the Needham-Schroeder-Lowe protocol described in Example 1, an adversary can corrupt
an agent $a_3$, start a new session for the second role with players $a_1, a_2$ and send the message $\{n(a_3, 1, 1), a_1\}^{adv(1)}_{ek(a_2)}$
to the player of the second role. The corresponding valid execution trace is:

$$(\emptyset, f_1, \emptyset) \xrightarrow{\mathsf{corrupt}(a_3)} (\emptyset, f_1, kn(a_3)) \xrightarrow{\mathsf{new}(2, a_1, a_2)} (\{sid_1\}, f_2, kn(a_3)) \xrightarrow{\mathsf{send}(sid_1, \{n_3, a_1\}^{adv(1)}_{ek(a_2)})} (\{sid_1\}, f_3, kn(a_3) \cup \{\{n_3, n_2, a_2\}^{ag(1)}_{ek(a_1)}\})$$

where $sid_1 = (1, 2, (a_1, a_2))$, $n_2 = n(a_2, 1, 1)$, $n_3 = n(a_3, 1, 1)$, and $f_2, f_3$ are defined as follows: $f_2(sid_1) =
(\sigma_1, 2, 1)$, $f_3(sid_1) = (\sigma_2, 2, 2)$ where $\sigma_1(A_1) = a_1$, $\sigma_1(A_2) = a_2$, $\sigma_1(X^1_{A_2}) = n_2$, and $\sigma_2$ extends $\sigma_1$ by $\sigma_2(X^1_{A_1}) =
n_3$ and $\sigma_2(L_1) = adv(1)$.



2.3 Relating the labeled and unlabeled execution models 

First notice that by induction on the deduction rules, it can be easily shown that whenever a message is 
deducible, then the corresponding unlabeled message is also deducible. Formally, we have the following lemma. 

Lemma 1 $S \vdash^l m \Rightarrow \overline{S} \vdash \overline{m}$.

Note that our main result holds for any deduction rules provided this lemma holds. 
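Added example (not code from the paper): a small decision procedure in Python for the deduction relations $\vdash^l$ and $\vdash$ of this section, with Lemma 1 checked on constructed data. It saturates the knowledge set under the destructor rules of Figure 1 (unpairing, decryption with a known $dk(b)$, and the message-recovery rule for signatures), then checks whether the target can be composed with the constructor rules, where the adversary may only label its own encryptions and signatures with $adv(i)$. The identities, nonces and knowledge set are constructed for the example; the last target shows that the converse of Lemma 1 fails, since a ciphertext carrying an honest label $ag(5)$ is not deducible with labels while its erasure is deducible without them.

```python
# Terms are nested tuples. The label of an encryption or signature is ('ag', i),
# ('adv', i), or None in the unlabelled algebra T.
def ident(a):                return ('id', a)
def nonce(a, j, s):          return ('n', a, j, s)
def ek(a):                   return ('ek', a)
def dk(a):                   return ('dk', a)
def sk(a):                   return ('sk', a)
def vk(a):                   return ('vk', a)
def pair(t1, t2):            return ('pair', t1, t2)
def enc(m, key, label=None): return ('enc', label, key, m)
def sig(m, key, label=None): return ('sig', label, key, m)

def erase(t):
    """The label-erasing mapping of Section 2.1."""
    if t[0] in ('enc', 'sig'):
        return (t[0], None, erase(t[2]), erase(t[3]))
    if t[0] == 'pair':
        return ('pair', erase(t[1]), erase(t[2]))
    return t

def analyse(S):
    """Saturate S under the destructor rules of Figure 1: unpairing, decryption
    with a known dk(b), and message recovery from a signature (the last rule)."""
    S = set(S)
    changed = True
    while changed:
        changed = False
        for t in list(S):
            parts = []
            if t[0] == 'pair':
                parts = [t[1], t[2]]
            elif t[0] == 'enc' and dk(t[2][1]) in S:      # t[2] is ek(b)
                parts = [t[3]]
            elif t[0] == 'sig':
                parts = [t[3]]
            for p in parts:
                if p not in S:
                    S.add(p)
                    changed = True
    return S

def deducible(S, m, labelled=True):
    """Decide S |-^l m (labelled=True) or S |- m (labelled=False): analyse S, then
    build m with the constructor rules. Identities, ek(b) and vk(b) are initial
    knowledge; the adversary only creates adv(.)-labelled ciphertexts and signatures."""
    known = analyse(S)

    def synth(t):
        if t in known:
            return True
        if t[0] == 'id' or (t[0] in ('ek', 'vk') and t[1][0] == 'id'):
            return True
        if t[0] == 'pair':
            return synth(t[1]) and synth(t[2])
        if t[0] in ('enc', 'sig'):
            _, label, key, body = t
            label_ok = (label is not None and label[0] == 'adv') if labelled else (label is None)
            return label_ok and synth(key) and synth(body)
        return False

    return synth(m)

def lemma1_instance(S, m):
    """One instance of Lemma 1: S |-^l m implies erase(S) |- erase(m)."""
    return (not deducible(S, m)) or deducible({erase(t) for t in S}, erase(m), labelled=False)

# Constructed sample: a3 is corrupted, and the network carries two honest
# ciphertexts and one honest signature.
a1, a2, a3 = ident('a1'), ident('a2'), ident('a3')
n1, n2, n3 = nonce(a1, 1, 1), nonce(a2, 1, 1), nonce(a3, 1, 1)
S = {dk(a3), sk(a3),
     enc(pair(n3, pair(n2, a2)), ek(a1), ('ag', 1)),
     enc(n2, ek(a3), ('ag', 2)),
     sig(n1, sk(a1), ('ag', 3))}
TARGETS = [n2,                                       # decrypt with dk(a3)
           n1,                                       # recovered from the signature
           n3,                                       # only under ek(a1): not deducible
           enc(pair(n2, n1), ek(a1), ('adv', 1)),    # built with adversarial coins
           enc(n2, ek(a1), ('ag', 5))]               # honest coins: only after erasure

def example_results():
    """Labelled and unlabelled deducibility of each target, and Lemma 1 on all of them."""
    labelled = [deducible(S, m) for m in TARGETS]
    erased = [deducible({erase(t) for t in S}, erase(m), labelled=False) for m in TARGETS]
    return labelled, erased, all(lemma1_instance(S, m) for m in TARGETS)

if __name__ == '__main__':
    print(example_results())
```

The split into an analysis phase (destructors to a fixed point) and a synthesis phase (constructors guided by the target) is the usual way to decide a Dolev-Yao relation of this shape; the label check in `synth` is the only place where $\vdash^l$ and $\vdash$ differ, which is why erasing the knowledge set can only enlarge what is deducible.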

Based on the above property we show that whenever a trace corresponds to an execution of a protocol, the 
corresponding unlabeled trace corresponds also to an execution of the corresponding unlabeled protocol. 

Lemma 2 $tr \in Exec(\Pi) \Rightarrow \overline{tr} \in Exec(\overline{\Pi})$.

Proof. The key argument is that only pattern matching is performed in protocols, and when a term with labels
matches some pattern, the unlabeled term matches the corresponding unlabeled pattern. The proof is done by
induction on the length of the trace.

• Let $tr = (SId_0, f_0, H_0)$, where $SId_0$ and $H_0$ are empty sets. We have $\overline{H_0} = H_0$. $f_0$ is defined nowhere,
and so is $\overline{f_0}$. Clearly, $\overline{tr} = (SId_0, \overline{f_0}, \overline{H_0})$ is in $Exec(\overline{\Pi})$.

• Let $tr \in Exec(\Pi)$, $tr = e_0, \ldots, e_n = (SId_0, f_0, H_0), \ldots, (SId_n, f_n, H_n)$, such that $\overline{tr} \in Exec(\overline{\Pi})$. We have
to show that if $tr' = tr, (SId_{n+1}, f_{n+1}, H_{n+1}) \in Exec(\Pi)$, then we have $\overline{tr'} \in Exec(\overline{\Pi})$. There are three
possible operations.

1. $\mathsf{corrupt}(a_1, \ldots, a_k)$. It means that $tr' = (SId_0, f_0, H_0), (SId_1, f_1, H_1)$. In this case, we have $SId_1 =
SId_0 = \emptyset$, $f_1 = f_0$ and $H_1 = H_0 \cup \bigcup_{1 \le i \le k} kn(a_i)$. We can conclude that $\overline{tr'} = (SId_0, \overline{f_0}, \overline{H_0}), (SId_1, \overline{f_1}, \overline{H_1})$
is in $Exec(\overline{\Pi})$, because there are no labels in $H_1$ and $f_1$ is still not defined.

2. $\mathsf{new}(i, a_1, \ldots, a_k)$. No labels are involved in this operation. The extension made to $f_n$ is the same as
is made to $\overline{f_n}$. Neither $H_n$ nor $\overline{H_n}$ are modified, so $\overline{tr'} = \overline{tr}, (SId_{n+1}, \overline{f_{n+1}}, \overline{H_{n+1}})$ is a valid trace.

3. $\mathsf{send}(s, m)$.

First, we have to be sure that if $m$ can be deduced from $H_n$, then $\overline{m}$ can be deduced from $\overline{H_n}$. This
is Lemma 1.

Note that $SId_n = SId_{n+1}$, thus $\overline{SId_n} = \overline{SId_{n+1}}$. Let $f_n(s) = (\sigma, i, p)$ and $\Pi(i) = (\ldots, (l_p, r_p), \ldots)$. We
have two cases.

– Either there is a substitution $\theta$ with $m = l_p\sigma\theta$. Then $f_{n+1}(s) = (\sigma \cup \theta, i, p + 1)$. Thus $\overline{f_n}(s) =
(\overline{\sigma}, i, p)$ and $\overline{f_{n+1}}(s) = (\overline{\sigma} \cup \overline{\theta}, i, p + 1)$. By induction hypothesis, $\overline{tr}$ is a valid trace. From
$m = l_p\sigma\theta$ follows $\overline{m} = \overline{l_p}\,\overline{\sigma}\,\overline{\theta}$. We conclude that $\overline{tr}, (SId_{n+1}, \overline{f_{n+1}}, \overline{H_{n+1}}) = \overline{tr'}$ is a valid trace,
thus a member of $Exec(\overline{\Pi})$.

– Or no substitution $\theta$ with $m = l_p\sigma\theta$ exists. Then $tr' = e_0, \ldots, e_n, e_{n+1}$ with $e_n = e_{n+1}$. We
must show that it is always possible to construct a message $m' \in T$ such that there exists no
substitution $\theta'$ with $m' = \overline{l_p}\,\overline{\sigma}\,\theta'$. Then, from the validity of $tr'$ and $\overline{tr}$ we can deduce the validity
of $\overline{tr'}$, because $\overline{e_n} = \overline{e_{n+1}}$.

Either there exists no substitution $\theta'$ such that $\overline{m} = \overline{l_p}\,\overline{\sigma}\,\theta'$. In that case, we choose $m' = \overline{m}$.
Or let $\theta'$ be a substitution such that $\overline{m} = \overline{l_p}\,\overline{\sigma}\,\theta'$. Then the matching for $m$ fails because of labels.
This can be shown by contradiction. Assume $m$ contains no label, i.e. $m$ does not contain
subterms of the form $\{t\}^l_{ek(a)}$ or $[t]^l_{sk(a)}$, $t \in T^l$. In that case, we have $m = \overline{m}$ by definition.
From $\overline{m} = \overline{l_p}\,\overline{\sigma}\,\theta'$, we deduce that $m = l_p\sigma\theta'$, a contradiction.

We deduce that $m$ contains some subterm of the form $\{t\}^l_{ek(a_i)}$ or $[t]^l_{sk(a_i)}$. The fact $\overline{m} = \overline{l_p}\,\overline{\sigma}\,\theta'$
implies that $l_p$ has to contain one of the following subterms: $\{t'\}^{l'}_{ek(A_i)}$, $[t']^{l'}_{sk(A_i)}$ with $t' \in T^l$ or
a variable of sort ciphertext or signature.

Then, we choose $m' = a$ for some agent identity $a \in X.a$. The term $a$ is deducible from $\overline{H_n}$. Now,
the matching of $m'$ with $\overline{l_p}$ always fails, either because of the encryption or signature occurring
in $\overline{l_p}$ or because of a type mismatch for a variable of sort ciphertext or signature in $\overline{l_p}$.

3 A LOGIC FOR SECURITY PROPERTIES 

In this section we define a logic for specifying security properties. We then show that the logic is quite expressive 
and, in particular, it can be used to specify rather standard secrecy and authenticity properties. 

3.1 Preliminary definitions 

To a trace $tr = e_1, \ldots, e_n = (SId_1, f_1, H_1), \ldots, (SId_n, f_n, H_n) \in SymbTr$ we associate its set of indices $I(tr) =
\{i \mid e_i \text{ appears in the trace } tr\}$.

We also define the set of local states $\mathcal{LS}_{i,p}(tr)$ for role $i$ at step $p$ that appear in trace $tr$ by $\mathcal{LS}_{i,p}(tr) =
\{(\sigma, i, p) \mid \exists s \in SId_k, k \in I(tr), \text{ such that } f_k(s) = (\sigma, i, p)\}$.

We assume an infinite set $Sub$ of meta-variables for substitutions. We extend the term algebra to allow
substitution application. More formally, let $T^l_{Sub}$ be the algebra defined by:

$$L ::= \varsigma(x_l) \mid ag(i) \mid adv(j)$$

$$T^l_{Sub} ::= \varsigma(x) \mid a \mid ek(a) \mid dk(a) \mid sk(a) \mid vk(a) \mid (T^l_{Sub}, T^l_{Sub}) \mid \{T^l_{Sub}\}^L_{ek(a)} \mid [T^l_{Sub}]^L_{sk(a)}$$

where $x_l \in X.l$, $\varsigma \in Sub$, $i, j \in \mathbb{N}$, $x \in X$, $a \in ID$. The unlabeled algebra $T_{Sub}$ is defined similarly. The mapping
function between the two algebras is defined by: $\overline{\varsigma(x)} = \overline{\varsigma}(x)$, $\overline{\{k\}^l_m} = \{\overline{k}\}_{\overline{m}}$, $\overline{[k]^l_m} = [\overline{k}]_{\overline{m}}$, and $\overline{f(t_1, \ldots, t_n)} =
f(\overline{t_1}, \ldots, \overline{t_n})$ otherwise.

3.2 Security Logic 

In this section we describe a logic for security properties. Besides standard propositional connectors, the logic 
has a predicate to specify honest agents, equality tests between terms, and existential and universal quantifiers 
over the local states of agents. 
$[NC(tr, t)] = 1$ if $t \in ID$ and $t$ does not appear in a corrupt action, i.e. $tr = e_1, e_2, \ldots, e_n$ and for all $a_1, \ldots, a_k$ such that $e_1 \xrightarrow{\mathsf{corrupt}(a_1, \ldots, a_k)} e_2$, $t \neq a_i$; and $[NC(tr, t)] = 0$ otherwise.

$[(t_1 = t_2)] = 1$ if $t_1 = t_2$ (syntactic equality), and $0$ otherwise.

$$[\neg F(tr)] = \neg [F(tr)]$$

$$[F_1(tr) \wedge F_2(tr)] = [F_1(tr)] \wedge [F_2(tr)]$$

$$[F_1(tr) \vee F_2(tr)] = [F_1(tr)] \vee [F_2(tr)]$$

$[\forall \mathcal{LS}_{i,p}(tr).\varsigma\ F(tr)] = 1$ if for all $(\sigma, i, p) \in \mathcal{LS}_{i,p}(tr)$ we have $[F(tr)[\varsigma \mapsto \sigma]] = 1$, and $0$ otherwise.

Figure 2: Interpretation.



Definition 2 The formulas of the logic $\mathcal{L}^l_1$ are defined as follows:

$$F(tr) ::= NC(tr, t_1) \mid (t_1 = t_2) \mid \neg F(tr) \mid F(tr) \wedge F(tr) \mid F(tr) \vee F(tr) \mid \forall \mathcal{LS}_{i,p}(tr).\varsigma\ F(tr) \mid \exists \mathcal{LS}_{i,p}(tr).\varsigma\ F(tr)$$

where $tr$ is a parameter of the formula, $i, p \in \mathbb{N}$, $\varsigma \in Sub$, $t_1$ and $t_2$ are terms of $T^l_{Sub}$. Note that formulas are
parametrized by a trace $tr$. As usual, we may use $\phi_1 \rightarrow \phi_2$ as a shortcut for $\neg\phi_1 \vee \phi_2$.

We similarly define the corresponding unlabeled logic $\mathcal{L}_1$; the tests $(t_1 = t_2)$ are between unlabeled terms
$t_1, t_2$ over $T_{Sub}$. The mapping function $\overline{\cdot}$ is extended as expected. In particular $\overline{NC(tr, t)} = NC(\overline{tr}, \overline{t})$, $\overline{(t_1 = t_2)} =
(\overline{t_1} = \overline{t_2})$, $\overline{\forall \mathcal{LS}_{i,p}(tr).\varsigma\ F(tr)} = \forall \mathcal{LS}_{i,p}(\overline{tr}).\overline{\varsigma}\ \overline{F}(\overline{tr})$ and $\overline{\exists \mathcal{LS}_{i,p}(tr).\varsigma\ F(tr)} = \exists \mathcal{LS}_{i,p}(\overline{tr}).\overline{\varsigma}\ \overline{F}(\overline{tr})$.

Here, the predicate $NC(tr, t)$ of arity 2 is used to specify non-corrupted agents. The quantifications
$\forall \mathcal{LS}_{i,p}(tr).\varsigma$ and $\exists \mathcal{LS}_{i,p}(tr).\varsigma$ are over the local states in the trace that correspond to agent $i$ at control
point $p$. The semantics of our logic is defined for closed formulas as shown in Figure 2.

Next we define when a protocol $\Pi$ satisfies a formula $\phi \in \mathcal{L}^l_1$. The definition for the unlabeled execution
model is obtained straightforwardly. Informally, a protocol $\Pi$ satisfies $\phi$ if $\phi(tr)$ is true for all traces $tr$ of $\Pi$.
Formally:

Definition 3 Let $\phi$ be a formula and $\Pi$ be a protocol. We say that $\Pi$ satisfies security property $\phi$, and write
$\Pi \models \phi$, if for any trace $tr \in Exec(\Pi)$, $[\phi(tr)] = 1$.

Abusing notation, we occasionally write $\phi$ for the set $\{tr \mid [\phi(tr)] = 1\}$. Then, $\Pi \models \phi$ precisely when
$Exec(\Pi) \subseteq \phi$.

3.3 Examples of security properties 

In this section we exemplify the use of the logic by specifying secrecy and authenticity properties.

3.3.1 A secrecy property

Let $\Pi(1)$ and $\Pi(2)$ be the sender's and receiver's role of a two-party protocol. To specify our secrecy property
we use a standard encoding. Namely, we add a third role to the protocol, $\Pi(3) = (X^1_{A_3}, \mathsf{stop})$, which can be
seen as some sort of witness.

Informally, the definition of the secrecy property $\phi_s$ states that, for two non-corrupted agents $A_1$ and $A_2$,
where $A_1$ plays role $\Pi(1)$ and $A_2$ plays role $\Pi(2)$, a third agent playing role $\Pi(3)$ cannot gain any knowledge
on nonce $X^1_{A_1}$ sent by role $\Pi(1)$.

$$\phi_s(tr) = \forall \mathcal{LS}_{1,1}(tr).\varsigma\ \forall \mathcal{LS}_{3,2}(tr).\varsigma'\ [NC(tr, \varsigma(A_1)) \wedge NC(tr, \varsigma(A_2)) \rightarrow \neg(\varsigma'(X^1_{A_3}) = \varsigma(X^1_{A_1}))]$$
3.3.2 An authentication property

Consider a two-role protocol, such that role 1 finishes its execution after $n$ steps and role 2 finishes its execution
after $p$ steps. For this kind of protocol we give a variant of the weak agreement property [Lowe, 1997b].
Informally, this property states that whenever an instantiation of role 2 finishes, there exists an instantiation
of role 1 that has finished, they agree on some value for some variable, and they have indeed talked to each
other. In our example we choose this variable to be $X^1_{A_1}$. Note that we capture that some agent has finished
its execution by quantifying appropriately over the local states of that agent. More precisely, we quantify only
over the states where it indeed has finished its execution.

$$\phi_a(tr) = \forall \mathcal{LS}_{2,p}(tr).\varsigma\ \exists \mathcal{LS}_{1,n}(tr).\varsigma'\ [NC(tr, \varsigma(A_1)) \wedge NC(tr, \varsigma'(A_2)) \rightarrow (\varsigma(X^1_{A_1}) = \varsigma'(X^1_{A_1})) \wedge (\varsigma(A_2) = \varsigma'(A_2)) \wedge (\varsigma(A_1) = \varsigma'(A_1))]$$

Notice that although in its current version our logic is not powerful enough to specify stronger versions of
agreement (like injective or bijective agreement), it could be appropriately extended to deal with these more
complex forms of authentication.

4 MAIN RESULT 

Recall that our goal is to prove that II |= <f> => II |= <j>. However, as explained in the introduction this 
property does not hold in general. The following example sheds some light on the reasons that cause the desired 
implication to fail. 

Example 3 Consider the first step of some protocol where A sends a message to B where some part is intended 
for some third agent. 

A —fB: {N ai {iVa}ek(C)> { N a}ek(C)}ek(B) 

The specification of the programs of A and B that corresponds to this first step is as follows (in the definition 
below C\ 2 and C\ 2 are variables of sort ciphertext) . 

n(i) = (init^^xmjgij.mjSS,)))^)) 

n(2) = ({(X^iC^C^m^stop) 

We assume that A generates twice the message {-/V a } e k(C)- Notice that we stop the execution of B after it 
receives the first message since this is sufficient for our purpose, but its execution might be continued to form 
a more realistic example. 

Consider the security property <pi that states that if A and B agree on the nonce X\ then B should have 
received twice the same ciphertext. 

M^) = yCS ia (tr).c; \/CS 2 , 2 {tr).s' 

NC{tr,,{A^))ANC{tr,,{A 2 )) A W^J = ,\X\J) (,\C\ 2 ) = ,'{C\ 2 )) 

This property clearly does not hold for any normal execution of the labeled protocol since A always sends 
ciphertexts with distinct labels. Thus Ii^= 4>\. 

On the other hand, one can show that we have $\overline{\Pi} \models \overline{\phi_1}$ in the unlabeled execution model. Intuitively, this 
holds because if A and B are honest agents and agree on $X_1$, then the message received by B has been emitted 
by A and thus should contain identical ciphertexts (after having removed their labels). 

4.1 Logic $\mathcal{L}^l_2$ 

The counterexample above relies on the fact that two ciphertexts that are equal in the model without labels 
may have been derived from distinct ciphertexts in the model with labels. Hence, it may be the case that 
although $\overline{t_1} \neq \overline{t_2} \Rightarrow t_1 \neq t_2$, the contrapositive implication $\overline{t_1} = \overline{t_2} \Rightarrow t_1 = t_2$ does not hold, which in turn 
entails that formulas that contain equality tests between ciphertexts may be true in the model without labels, 
but false in the model with labels. In this section we identify a fragment of $\mathcal{L}^l_1$, which we call $\mathcal{L}^l_2$, where such 
tests are prohibited. Formally, we avoid equality tests between arbitrary terms by forbidding arbitrary negation 
over formulas and allowing equality tests only between simple terms. 
Definition 4 A term $t$ is said simple if $t \in X.a \cup X.n$, or $t = a$ for some $a \in ID$, or $t = n(a, j, s)$ for some 
$a \in ID$, $j, s \in \mathbb{N}$. 

An important observation is that for any simple term $t$ it holds that $\overline{t} = t$. 

Definition 5 The formulas of the logic $\mathcal{L}^l_2$ are defined as follows: 

$$F(tr) ::= NC(tr, t_1) \mid \neg NC(tr, t_1) \mid F(tr) \wedge F(tr) \mid F(tr) \vee F(tr) \mid (t_1 \neq t_2) \mid (u_1 = u_2) \mid$$

$$\forall LS_{i,p}(tr).\varsigma\ F(tr) \mid \exists LS_{i,p}(tr).\varsigma\ F(tr),$$

where $tr \in SymbTr$ is a parameter, $i, p \in \mathbb{N}$, $t_1, t_2 \in T^l_{Sub}$ and $u_1, u_2$ are simple terms. 

Since simple terms also belong to $T^l_{Sub}$, both equality and inequality tests are allowed between simple terms. 
The corresponding unlabeled logic $\mathcal{L}_2$ is defined as expected. Note that $\mathcal{L}^l_2 \subsetneq \mathcal{L}^l_1$ and $\mathcal{L}_2 \subsetneq \mathcal{L}_1$. 

4.2 Theorem 

Informally, our main theorem says that to verify that a protocol satisfies some security formula $\phi$ in logic $\mathcal{L}^l_2$, it is 
sufficient to verify that the unlabeled version of the protocol satisfies $\overline{\phi}$. 

Theorem 1 Let $\Pi$ be a protocol and $\phi \in \mathcal{L}^l_2$, then $\overline{\Pi} \models \overline{\phi} \Rightarrow \Pi \models \phi$. 

Proof. Assume $\overline{\Pi} \models \overline{\phi}$. We have to show that for any trace $tr \in Exec(\Pi)$, $[\![\phi(tr)]\!] = 1$. From Lemma 2 it 
follows that $\overline{tr} \in Exec(\overline{\Pi})$, thus $[\![\overline{\phi}(\overline{tr})]\!] = 1$, since $\overline{\Pi} \models \overline{\phi}$. Thus, it is sufficient to show that $[\![\overline{\phi}(\overline{tr})]\!] = 1$ implies $[\![\phi(tr)]\!] = 1$. 
The following lemma offers the desired property. 

Lemma 3 Let $\phi(tr) \in \mathcal{L}^l_2$ for some $tr \in SymbTr$. Then $[\![\overline{\phi}(\overline{tr})]\!] = 1$ implies $[\![\phi(tr)]\!] = 1$. 
Proof. The proof of the lemma is by induction on the structure of $\phi(tr)$. 

• $\phi(tr) = NC(tr, t)$ or $\phi(tr) = \neg NC(tr, t)$. $[\![NC(\overline{tr}, \overline{t})]\!] = 1$ if and only if $\overline{t} \in ID$ and $\overline{t}$ does not occur in a 
corrupt event for the trace $\overline{tr}$. This is equivalent to $t \in ID$ and $t$ does not occur in a corrupt event for 
the trace $tr$. Thus $[\![NC(\overline{tr}, \overline{t})]\!] = 1$ if and only if $[\![NC(tr, t)]\!] = 1$, and consequently $[\![\neg NC(\overline{tr}, \overline{t})]\!] = 1$ if and only if $[\![\neg NC(tr, t)]\!] = 1$. 

• $\phi(tr) = (t_1 \neq t_2)$. We have that $\overline{\phi}(\overline{tr}) = (\overline{t_1} \neq \overline{t_2})$ holds. Assume by contradiction that $\phi(tr)$ does not 
hold, i.e. $t_1 = t_2$. This implies $\overline{t_1} = \overline{t_2}$, contradiction. 

• $\phi(tr) = (u_1 = u_2)$ with $u_1, u_2$ simple terms. We have that $\overline{\phi}(\overline{tr}) = (\overline{u_1} = \overline{u_2})$ holds. Since $u_1$ and $u_2$ are 
simple terms, we have $\overline{u_i} = u_i$, thus $u_1 = u_2$. We conclude that $\phi(tr)$ holds. 

• The cases $\phi(tr) = \phi_1(tr) \vee \phi_2(tr)$ and $\phi(tr) = \phi_1(tr) \wedge \phi_2(tr)$ are straightforward. 

• $\phi(tr) = \forall LS_{i,p}(tr).\varsigma\ F(tr)$. If $\overline{\phi}(\overline{tr})$ holds, this means that for all $(\theta, i, p) \in LS_{i,p}(\overline{tr})$, $[\![\overline{F}(\overline{tr})[\theta/\varsigma]]\!] = 1$. 

Let $(\theta', i, p) \in LS_{i,p}(tr)$. We consider $[\![F(tr)[\theta'/\varsigma]]\!]$. Since $tr \in Exec(\Pi)$ implies $\overline{tr} \in Exec(\overline{\Pi})$ (Lemma 2), 
we have $(\overline{\theta'}, i, p) \in LS_{i,p}(\overline{tr})$. By induction hypothesis, $[\![\overline{F}(\overline{tr})[\overline{\theta'}/\varsigma]]\!] = 1$ implies that $[\![F(tr)[\theta'/\varsigma]]\!] = 1$. It 
follows that 

$$\forall (\theta', i, p) \in LS_{i,p}(tr)\quad [\![F(tr)[\theta'/\varsigma]]\!] = 1.$$

Thus, $\phi(tr)$ holds. 

• $\phi(tr) = \exists LS_{i,p}(tr).\varsigma\ F(tr)$. If $\overline{\phi}(\overline{tr})$ holds, this means that there exists $(\theta, i, p) \in LS_{i,p}(\overline{tr})$ such that 

$$[\![\overline{F}(\overline{tr})[\theta/\varsigma]]\!] = 1.$$

By definition of the mapping function, there exists $(\theta', i, p) \in LS_{i,p}(tr)$ such that $\overline{\theta'} = \theta$. By induction 
hypothesis, $[\![F(tr)[\theta'/\varsigma]]\!] = 1$. Thus there exists $\theta'$ such that $[\![F(tr)[\theta'/\varsigma]]\!] = 1$. Thus, $\phi(tr)$ holds. 
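The following program is an added illustration of Example 3, Definition 5 and Lemma 3; it is not code from the paper. It assumes a small tuple encoding of terms, traces and formulas (an assumption of this example): a labeled encryption carries its label explicitly, `unlabel` is the overline mapping, `in_fragment` checks the syntactic restriction of Definition 5, and `holds` evaluates a formula over a trace given as the local states $LS_{i,p}$ of each role plus a set of corrupt agents. The constructed honest trace of Example 3 (with made-up labels `l1`, `l2`) shows that $\phi_1$, which compares ciphertext variables, is true unlabeled but false labeled, while $\phi_2$, which lies in the fragment, satisfies the implication of Lemma 3.

```python
"""Labeled vs. unlabeled terms: Example 3 and the fragment of Definition 5.
The tuple encoding of terms, traces and formulas is this example's own assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:
    name: str

@dataclass(frozen=True)
class Nonce:                     # n(a, j, s): nonce of agent a in role j, session s
    agent: str
    role: int
    sid: int

@dataclass(frozen=True)
class Enc:                       # {msg}^label_ek(key); label None = unlabeled model
    msg: object
    key: str
    label: str = None

# Sorts of the protocol variables (Definition 4: agent/nonce variables are simple).
SORTS = {"A1": "agent", "A2": "agent", "A3": "agent", "X1": "nonce",
         "C1": "cipher", "C2": "cipher"}

def unlabel(t):
    """The overline mapping: erase every label, recursively."""
    if isinstance(t, Enc):
        return Enc(unlabel(t.msg), t.key, None)
    if isinstance(t, tuple):
        return tuple(unlabel(x) for x in t)
    return t                     # simple terms satisfy unlabel(t) == t

def is_simple(t):
    """Definition 4, extended to formula operands ("@", s, x) standing for s(x)."""
    if isinstance(t, tuple) and t and t[0] == "@":
        return is_simple(t[2])
    if isinstance(t, str):
        return SORTS[t] in ("agent", "nonce")
    return isinstance(t, (Agent, Nonce))

def neg(f):
    """Push a negation inwards (De Morgan); = becomes != and vice versa."""
    op = f[0]
    if op == "NC":
        return ("not", f)
    if op == "not":
        return f[1]
    if op in ("and", "or"):
        return ("or" if op == "and" else "and", neg(f[1]), neg(f[2]))
    if op == "implies":
        return ("and", f[1], neg(f[2]))
    if op in ("eq", "neq"):
        return ("neq" if op == "eq" else "eq", f[1], f[2])
    return ("exists" if op == "forall" else "forall", f[1], f[2], f[3], neg(f[4]))

def in_fragment(f):
    """Definition 5: negation only in front of NC, equality only between simple terms."""
    op = f[0]
    if op in ("NC", "neq"):
        return True
    if op == "not":
        return f[1][0] == "NC"
    if op in ("and", "or"):
        return in_fragment(f[1]) and in_fragment(f[2])
    if op == "implies":          # p -> q abbreviates (not p) or q
        return in_fragment(neg(f[1])) and in_fragment(f[2])
    if op == "eq":
        return is_simple(f[1]) and is_simple(f[2])
    return in_fragment(f[4])     # forall / exists: (op, role, step, s, body)

def value(t, env):
    return env[t[1]][t[2]] if isinstance(t, tuple) and t and t[0] == "@" else t

def holds(f, tr, env=None):
    """[[f(tr)]] for tr = {"corrupt": set of Agent, "states": {(role, step): [subst, ...]}}."""
    env = env or {}
    op = f[0]
    if op == "NC":
        a = value(f[1], env)
        return isinstance(a, Agent) and a not in tr["corrupt"]
    if op == "not":
        return not holds(f[1], tr, env)
    if op in ("and", "or"):
        return (all if op == "and" else any)(holds(g, tr, env) for g in f[1:])
    if op == "implies":
        return (not holds(f[1], tr, env)) or holds(f[2], tr, env)
    if op in ("eq", "neq"):
        return (value(f[1], env) == value(f[2], env)) == (op == "eq")
    _, role, step, s, body = f
    pick = all if op == "forall" else any
    return pick(holds(body, tr, {**env, s: st}) for st in tr["states"][(role, step)])

def unlabel_trace(tr):
    return {"corrupt": tr["corrupt"],
            "states": {k: [{x: unlabel(v) for x, v in st.items()} for st in sts]
                       for k, sts in tr["states"].items()}}

def lemma3(f, tr):
    """Lemma 3 on one trace: [[f(unlabel(tr))]] = 1 implies [[f(tr)]] = 1."""
    return (not holds(f, unlabel_trace(tr))) or holds(f, tr)

# Constructed honest trace of Example 3; the labels l1, l2 are made-up names.
A, B, C = Agent("a"), Agent("b"), Agent("c")
NA = Nonce("a", 1, 1)
C1, C2 = Enc(NA, "c", "l1"), Enc(NA, "c", "l2")   # same plaintext, distinct coins
TRACE = {"corrupt": set(),
         "states": {(1, 2): [{"A1": A, "A2": B, "A3": C, "X1": NA}],
                    (2, 2): [{"A1": A, "A2": B, "X1": NA, "C1": C1, "C2": C2}]}}

s = lambda x: ("@", "s", x)      # the bound state names of phi_1 / phi_2
s_ = lambda x: ("@", "s'", x)
PREMISE = ("and", ("and", ("NC", s("A1")), ("NC", s("A2"))), ("eq", s("X1"), s_("X1")))
PHI1 = ("forall", 1, 2, "s", ("forall", 2, 2, "s'", ("implies", PREMISE, ("eq", s_("C1"), s_("C2")))))
PHI2 = ("forall", 1, 2, "s", ("forall", 2, 2, "s'", ("implies", PREMISE, ("neq", s_("C1"), s_("C2")))))
```

Running `holds(PHI1, unlabel_trace(TRACE))` and `holds(PHI1, TRACE)` gives `True` and `False`: exactly the failure of the unlabeled-to-labeled implication for a formula outside $\mathcal{L}^l_2$ (`in_fragment(PHI1)` is `False` because of the equality on ciphertext variables). For $\phi_2$ the values are `False` and `True`, so `lemma3(PHI2, TRACE)` holds, and the pair also reproduces the Discussion's point that the converse direction fails.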
5 DISCUSSION 

We conclude with a brief discussion of two interesting aspects of our result. First, as mentioned in the introduction, 
the only property needed for our main theorem to hold is that the underlying deduction system satisfies 
the condition in Lemma 1, that is $S \vdash^l m \Rightarrow \overline{S} \vdash \overline{m}$. In fact, an interesting result would be to prove a more 
abstract and modular version of our theorem. 

Secondly, a natural question is whether the converse of our main theorem holds. We prove that this is not 
the case. More precisely, we show that there exists a protocol $\Pi$ and a property $\phi$ such that $\Pi \models \phi$ but $\overline{\Pi} \not\models \overline{\phi}$. 
Let $\Pi$ be the protocol defined in Example 3. Consider a security property $\phi_2$ that states, on the contrary, that 
whenever A and B agree on the nonce $X_1$ then B should have received two distinct ciphertexts. Formally: 

$$\phi_2(tr) = \forall LS_{1,2}(tr).\varsigma\ \ \forall LS_{2,2}(tr).\varsigma'$$

$$NC(tr, \varsigma(A_1)) \wedge NC(tr, \varsigma(A_2)) \wedge (\varsigma(X_1) = \varsigma'(X_1)) \rightarrow (\varsigma'(C_1) \neq \varsigma'(C_2))$$

where $C_1$ and $C_2$ are variables of sort ciphertext. 

This property clearly does not hold for any honest execution of the unlabeled protocol since A always sends 
twice the same ciphertext, and thus $\overline{\Pi} \not\models \overline{\phi_2}$. On the other hand however, one can show that this property holds 
for the labeled protocol since, if A and B are honest agents and agree on $X_1$, it means that the message received 
by B has been emitted by A and thus contains two distinct ciphertexts. Thus, $\Pi \models \phi_2$. We conclude that, in 
general, $\Pi \models \phi$ does not imply $\overline{\Pi} \models \overline{\phi}$. 